RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...


 



So I have sorted it out now. It turns out that defining "UsePAM yes" was causing the keyboard-interactive mode to occur. The odd thing was that defining "-o KbdInteractiveAuthentication=no" had no effect, although it did not produce an error either, meaning it accepted the parameter provided. In the end, I was able to keep the UsePAM option and remove the keyboard-interactive prompt by explicitly defining the authentication methods with "-o PreferredAuthentications=password".

Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield@xxxxxxxxxxxxx
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Nico Kadel-Garcia [mailto:nkadel@xxxxxxxxx] 
Sent: Friday, January 16, 2015 12:22 AM
To: Trey Henefield
Cc: keisial@xxxxxxxxx; dkg@xxxxxxxxxxxxxxxxx; openssh-unix-dev@xxxxxxxxxxx
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu, Jan 15, 2015 at 5:54 PM, Trey Henefield <trey.henefield@xxxxxxxxxxxxx> wrote:
> Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

RHEL 5 is now 2 major releases behind and was released roughly 7 years ago. Time to update, I think; there have been a *lot* of significant security and architecture changes that can affect the toolchain used to build recent versions of OpenSSH.

> I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.
>
>
> -----Original Message-----
> From: Daniel Kahn Gillmor [dkg@xxxxxxxxxxxxxxxxx]
> Received: Thursday, 15 Jan 2015, 4:03PM
> To: Trey Henefield [trey.henefield@xxxxxxxxxxxxx]; Ángel González 
> [keisial@xxxxxxxxx]
> CC: openssh-unix-dev@xxxxxxxxxxx [openssh-unix-dev@xxxxxxxxxxx]
> Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...
>
> On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred:
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> root@10.10.2.51's password:
>> debug2: we sent a password packet, wait for reply
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug1: No more authentication methods to try.
>> Permission denied (publickey,password,keyboard-interactive).
>>
>>
>> In the above output, the first prompt is "Password:". The second prompt is "root@10.10.2.51's password:"
>
> The first prompt is a keyboard-interactive prompt; the second prompt 
> is the password prompt.  please try again with 
> -oKbdInteractiveAuthentication=no
>
> Regards,
>
>         --dkg
>
> PS if possible, you should probably avoid using password 
> authentication for the root account anyway, but that's a sideline to 
> the issue you're seeing here.
>
> Disclaimer
> The information contained in this communication from trey.henefield@xxxxxxxxxxxxx sent at 2015-01-15 17:54:25 is confidential and may be legally privileged.
> It is intended solely for use by openssh-unix-dev@xxxxxxxxxxx and 
> others authorized to receive it. If you are not openssh-unix-dev@xxxxxxxxxxx you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
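
An added example, not part of any message in this thread: a small Python parser that attributes each user-facing prompt in `ssh -v` client output to the authentication method that produced it, run over an excerpt of the debug output quoted above (e-mail line wraps rejoined). The function names are hypothetical, and the option it returns is the one the first message reports as removing the extra prompt.

```python
import re

# Excerpt of the client debug output quoted in this thread.
SAMPLE_LOG = """\
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)$")
CAN_CONTINUE = re.compile(r"^debug1: Authentications that can continue: (\S+)$")
DEBUG_LINE = re.compile(r"^debug\d+: ")

def attribute_prompts(log):
    """Return ([(method, prompt)], set of methods the server offered)."""
    current, prompts, offered = None, [], set()
    for raw in log.splitlines():
        line = raw.strip()
        if m := NEXT_METHOD.match(line):
            current = m.group(1)
        elif m := CAN_CONTINUE.match(line):
            offered.update(m.group(1).split(","))
        elif current and line.endswith(":") and not DEBUG_LINE.match(line):
            # A non-debug line ending in ':' is text shown to the user.
            prompts.append((current, line))
    return prompts, offered

def password_only_option(prompts, offered):
    """Client option reported in the thread to drop the extra prompt, or None."""
    kbdint_prompted = any(m == "keyboard-interactive" for m, _ in prompts)
    if kbdint_prompted and "password" in offered:
        return "-o PreferredAuthentications=password"
    return None

if __name__ == "__main__":
    found, offered = attribute_prompts(SAMPLE_LOG)
    for method, prompt in found:
        print(f"{method:22} {prompt}")
    print(password_only_option(found, offered))
```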



